Add libaudit support
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Light Display Manager | | Medium | Unassigned | |
| 1.10 | | Medium | Unassigned | |
| 1.14 | | Medium | Unassigned | |
| 1.16 | | Medium | Unassigned | |
| 1.2 | | Medium | Unassigned | |
| lightdm (Ubuntu) | | Medium | Unassigned | |
| Trusty | | Medium | Unassigned | |
| Vivid | | Medium | Unassigned | |
| Wily | | Medium | Unassigned | |
| openssh (Debian) | Fix Released | Unknown | | |
| openssh (Ubuntu) | | Medium | Unassigned | |
| Trusty | | Medium | Mathieu Trudel-Lapierre | |
| Vivid | | Low | Unassigned | |
| Wily | | Medium | Unassigned | |
| shadow (Ubuntu) | | Medium | Unassigned | |
| Trusty | | Medium | Mathieu Trudel-Lapierre | |
| Vivid | | Low | Unassigned | |
| Wily | | Medium | Unassigned | |
Bug Description
[Impact]
Auditing support is a commonly used feature in large enterprises, and allows better tracking of actions happening on secured systems, especially when it comes to accounting for login events.
Such systems fail to correctly list login events in aureport due to some software not integrating libaudit.
[Test Case]
1) Install auditd
2) Log in to the system multiple times (or allow others to connect to the system)
3) Run aureport -l
System should list login information.
[Regression Potential]
There is minimal risk for issues since libaudit support only allows for generating extra logging saved on the local system. A possible side effect is that systems on which auditing is enabled and which have many users of the affected software (see bug tasks), such as many logins over SSH, may see an increased demand on disk space for the auditing data.
---
-- Problem Description --
We installed ubuntu 14.04.3 on lakelp1 and installed package auditd. We tried to
ssh to lakelp1 several times and found that "aureport -l" couldn't print out the login
info.
root@lakelp1:~# /etc/init.d/auditd status
* auditd is running.
root@lakelp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=38784 rate_limit=0 backlog_limit=320 lost=12 backlog=1
root@lakelp1:~# grep -i login /var/log/
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
root@lakelp1:~# aureport -l
Login Report
=======
# date time auid host term exe success event
=======
<no events of interest were found>
This looks like a bug in aureport or libaudit. In addition to giving admins falsely empty record selections, this would prevent successful completion of a Common Criteria certification.
Related branches
- Robert Ancell: Approve on 2015-09-07
- PS Jenkins bot: Needs Fixing (continuous-integration) on 2015-09-02
Diff: 157 lines (+68/-0), 6 files modified
configure.ac (+17/-0)
debian/changelog (+15/-0)
debian/control (+1/-0)
debian/lightdm.lightdm-autologin.pam (+1/-0)
debian/lightdm.pam (+1/-0)
src/session-child.c (+33/-0)
| tags: | added: architecture-ppc64le bugnameltc-127965 severity-critical targetmilestone-inin--- |
| affects: | ubuntu → audit (Ubuntu) |
| Changed in audit (Ubuntu): | |
| assignee: | nobody → Taco Screen team (taco-screen-team) |
| tags: |
added: targetmilestone-inin14043 removed: targetmilestone-inin--- |
| bugproxy (bugproxy) wrote : | #2 |
------- Comment From <email address hidden> 2015-07-29 14:29 EDT-------
This is not critical to have in 14.04.3 release for 8/06. However, it should go into service stream and must be in 16.04. According to George, it is a security issue in that it will falsely show that no logins took place when the admin specifically looks for them. It could cause an audit noncompliance for a variety of hardening standards (Common Criteria)
| tags: |
added: severity-high targetmilestone-inin1510 removed: severity-critical targetmilestone-inin14043 |
| Tyler Hicks (tyhicks) wrote : Re: ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3 | #3 |
The bug is not in aureport or libaudit. aureport looks for AUDIT_USER_LOGIN events in the audit log but we're not generating them in login programs due to libaudit support not being enabled at build time or, in the case of lightdm, missing libaudit support.
Note that we are generating an AUDIT_LOGIN event from the kernel upon login but aureport and friends are looking for AUDIT_USER_LOGIN events from userspace.
This will require changes to several packages. So far, I've been able to determine that openssh needs to be built with --enable-
The shadow package was recently modified to enable libaudit support (https:/
The util-linux source package can generate AUDIT_USER_INFO events from its login program but we're using the login program from the shadow source package. After looking at the util-linux source, I don't see a reason to build it against libaudit at this time.
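The distinction drawn in comment #3 (kernel AUDIT_LOGIN records present, userspace AUDIT_USER_LOGIN records absent) can be checked directly against the audit log. The following is an added example, not part of the original bug report or of any package's code; the sample records and the names `parse` and `login_coverage` are constructed for illustration.

```python
import re

# Constructed sample records (not from the bug report), modelled on the
# key=value layout of the audit log.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1438100000.100:455): pid=2101 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=3 res=1
type=USER_LOGIN msg=audit(1438100000.350:459): pid=2101 uid=0 auid=1000 ses=3 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=success'
type=LOGIN msg=audit(1438100100.200:470): pid=2290 uid=0 old-auid=4294967295 auid=1001 old-ses=4294967295 ses=4 res=1
type=LOGIN msg=audit(1438100200.300:481): pid=2345 uid=0 old-auid=4294967295 auid=1000 old-ses=4294967295 ses=5 res=1
type=USER_LOGIN msg=audit(1438100200.900:486): pid=2345 uid=0 auid=1000 ses=5 msg='op=login id=1000 exe="/bin/login" hostname=? addr=? terminal=/dev/tty1 res=success'
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\(\d+\.\d+:\d+\):(.*)$")


def parse(line):
    """Return record type, session id and exe for one audit record."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    rtype, body = m.groups()
    # LOGIN records carry old and new session ids; the last ses= is the new one.
    ses = re.findall(r"ses=(\d+)", body)
    exe = re.search(r'exe="([^"]+)"', body)
    return {"type": rtype,
            "ses": int(ses[-1]) if ses else None,
            "exe": exe.group(1) if exe else None}


def login_coverage(log_text):
    """Compare kernel LOGIN records with userspace USER_LOGIN records."""
    kernel, user = set(), {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["ses"] is None:
            continue
        if rec["type"] == "LOGIN":
            kernel.add(rec["ses"])
        elif rec["type"] == "USER_LOGIN":
            user[rec["ses"]] = rec["exe"]
    # The kernel writes LOGIN whenever a loginuid is set, so these sessions
    # are candidates to inspect, not proof of a program lacking libaudit.
    return {"kernel_logins": len(kernel), "user_logins": len(user),
            "sessions_without_user_login": sorted(kernel - set(user)),
            "reporting_programs": sorted({e for e in user.values() if e})}


if __name__ == "__main__":
    print(login_coverage(SAMPLE_LOG))
```

A log in the state the bug describes yields `user_logins` of 0 with every kernel session listed as lacking a USER_LOGIN record, which is why `aureport -l` comes back empty.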
| Tyler Hicks (tyhicks) wrote : | #4 |
I've created an upstream lightdm merge request to add login and logout auditing support:
https:/
I've also submitted the (simple) changes needed in the openssh package to Debian since Colin keeps the Debian and Ubuntu openssh package in sync:
| no longer affects: | audit (Ubuntu Trusty) |
| no longer affects: | audit (Ubuntu Vivid) |
| no longer affects: | audit (Ubuntu Wily) |
| Changed in audit (Ubuntu): | |
| status: | New → Invalid |
| Changed in lightdm (Ubuntu Wily): | |
| status: | New → Triaged |
| Changed in lightdm (Ubuntu Vivid): | |
| status: | New → Triaged |
| Changed in lightdm (Ubuntu Trusty): | |
| status: | New → Triaged |
| Changed in openssh (Ubuntu Trusty): | |
| status: | New → Triaged |
| Changed in openssh (Ubuntu Vivid): | |
| status: | New → Triaged |
| Changed in openssh (Ubuntu Wily): | |
| status: | New → Triaged |
| Changed in shadow (Ubuntu Wily): | |
| status: | New → Fix Released |
| Changed in shadow (Ubuntu Vivid): | |
| status: | New → Triaged |
| Changed in shadow (Ubuntu Trusty): | |
| status: | New → Triaged |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package openssh - 1:6.9p1-2
---------------
openssh (1:6.9p1-2) unstable; urgency=medium
[ Colin Watson ]
* mention-
invocation onto a separate line to make it easier to copy and paste
(LP: #1491532).
[ Tyler Hicks ]
* Build with audit support on Linux (closes: #797727, LP: #1478087).
-- Colin Watson <email address hidden> Thu, 10 Sep 2015 12:26:11 +0100
| Changed in openssh (Ubuntu Wily): | |
| status: | Triaged → Fix Released |
| Changed in lightdm: | |
| importance: | Undecided → Medium |
| status: | New → Fix Committed |
| milestone: | none → 1.17.0 |
| Changed in lightdm (Ubuntu Trusty): | |
| importance: | Undecided → Medium |
| Changed in lightdm (Ubuntu Vivid): | |
| importance: | Undecided → Medium |
| Changed in lightdm (Ubuntu Wily): | |
| importance: | Undecided → Medium |
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package lightdm - 1.16.2-0ubuntu1
---------------
lightdm (1.16.2-0ubuntu1) wily; urgency=medium
* New upstream release:
- Fix compile failing without libinput
-- Robert Ancell <email address hidden> Wed, 16 Sep 2015 14:20:11 -0400
| Changed in lightdm (Ubuntu Wily): | |
| status: | Triaged → Fix Released |
| summary: |
- ISST-LTE: aureport -l couldn't print out login info on ubuntu 14.04.3 + Add libaudit support |
| Changed in audit (Ubuntu): | |
| assignee: | Taco Screen team (taco-screen-team) → nobody |
| tags: |
added: severity-medium removed: severity-high |
| Changed in lightdm: | |
| status: | Fix Committed → Fix Released |
------- Comment From <email address hidden> 2015-11-16 18:17 EDT-------
Because this is a security, we request this fix be included in 14.04 SRU please.
| Changed in openssh (Ubuntu Trusty): | |
| assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
| Changed in shadow (Ubuntu Trusty): | |
| assignee: | nobody → Mathieu Trudel-Lapierre (mathieu-tl) |
| description: | updated |
| Michael Hohnbaum (hohnbaum) wrote : | #8 |
Mathieu, any outlook for this SRU?
Hello bugproxy, or anyone else affected,
Accepted shadow into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in shadow (Ubuntu Trusty): | |
| status: | Triaged → Fix Committed |
| tags: | added: verification-needed |
| Steve Langasek (vorlon) wrote : | #10 |
Hello bugproxy, or anyone else affected,
Accepted openssh into trusty-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-
Further information regarding the verification process can be found at https:/
| Changed in openssh (Ubuntu Trusty): | |
| status: | Triaged → Fix Committed |
------- Comment From <email address hidden> 2016-01-31 23:04 EDT-------
Verified on Ubuntu14.04.4, this bug is not fixed.
root@monklp1:~# /etc/init.d/auditd status
* auditd is running.
root@monklp1:~# auditctl -e 1
AUDIT_STATUS: enabled=1 flag=1 pid=9417 rate_limit=0 backlog_limit=320 lost=2 backlog=0
root@monklp1:~# grep -i login /var/log/
type=LOGIN msg=audit(
type=LOGIN msg=audit(
type=LOGIN msg=audit(
root@monklp1:~# aureport -l
Login Report
=======
# date time auid host term exe success event
=======
<no events of interest were found>
root@monklp1:~# uname -a
Linux monklp1 4.2.0-25-generic #30~14.04.1-Ubuntu SMP Mon Jan 18 16:25:16 UTC 2016 ppc64le ppc64le ppc64le GNU/Linux
root@monklp1:~# dpkg -s auditd
Package: auditd
Status: install ok installed
Priority: extra
Section: admin
Installed-Size: 713
Maintainer: Ubuntu Developers <email address hidden>
Architecture: ppc64el
Source: audit
Version: 1:2.3.2-2ubuntu1
Depends: lsb-base (>= 3.0-6), init-system-helpers (>= 1.13~), libaudit1 (>= 1:2.2.1), libauparse0 (>= 1:2.3.1), libc6 (>= 2.17)
Suggests: audispd-plugins
| Breno Leitão (breno-leitao) wrote : | #12 |
Changing the tag 'verification-
| tags: |
added: verification-failed removed: verification-needed |
| no longer affects: | audit (Ubuntu) |
| Changed in openssh (Ubuntu): | |
| importance: | Undecided → Medium |
| Changed in shadow (Ubuntu): | |
| importance: | Undecided → Medium |
| Changed in openssh (Ubuntu Trusty): | |
| importance: | Undecided → Medium |
| Changed in openssh (Ubuntu Vivid): | |
| importance: | Undecided → Low |
| Changed in openssh (Ubuntu Wily): | |
| importance: | Undecided → Medium |
| Changed in shadow (Ubuntu Trusty): | |
| importance: | Undecided → Medium |
| Changed in shadow (Ubuntu Wily): | |
| importance: | Undecided → Medium |
| Changed in shadow (Ubuntu Vivid): | |
| importance: | Undecided → Low |
I'd like to re-validate this for myself before we mark it verification-
Marking back to verification-
| tags: |
added: verification-needed removed: verification-failed |
| Changed in openssh (Debian): | |
| status: | Unknown → Fix Released |
Verified for shadow: login correctly reports logins.
| bugproxy (bugproxy) wrote : | #15 |
------- Comment From <email address hidden> 2016-02-02 17:56 EDT-------
Thanks to Tyler and the Canonical crew!
Verified for openssh as well; it now correctly shows entries in aureport -l too.
Attached is a transcript from the two sessions testing shadow and openssh for audit support.
| tags: |
added: verification-done removed: verification-needed |
| Launchpad Janitor (janitor) wrote : | #17 |
This bug was fixed in the package shadow - 1:4.1.5.
---------------
shadow (1:4.1.
* debian/control, debian/rules: re-enable libaudit support. (LP: #1478087)
-- Mathieu Trudel-Lapierre <email address hidden> Fri, 22 Jan 2016 11:21:57 -0500
| Changed in shadow (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |
The verification of the Stable Release Update for shadow has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
| Launchpad Janitor (janitor) wrote : | #19 |
This bug was fixed in the package openssh - 1:6.6p1-2ubuntu2.6
---------------
openssh (1:6.6p1-
* debian/control, debian/rules: enable libaudit support. (LP: #1478087)
openssh (1:6.6p1-
* Backport upstream reporting of max auth attempts, so that fail2ban
and similar tools can learn the IP address of brute forcers.
(LP: #1534340)
- debian/
-- Mathieu Trudel-Lapierre <email address hidden> Tue, 26 Jan 2016 10:38:35 -0500
| Changed in openssh (Ubuntu Trusty): | |
| status: | Fix Committed → Fix Released |
Setting the Vivid tasks to Won't Fix since it's been EOL for a little while.
| Changed in shadow (Ubuntu Vivid): | |
| status: | Triaged → Won't Fix |
| Changed in openssh (Ubuntu Vivid): | |
| status: | Triaged → Won't Fix |
| Changed in lightdm (Ubuntu Vivid): | |
| status: | Triaged → Won't Fix |


------- Comment From <email address hidden> 2015-07-28 21:47 EDT-------
Looks like LOGIN records are also omitted from ausearch (try ausearch -i). That seems to point to a libaudit issue.
Another strange thing is if I try to ltrace aureport or ausearch, it fails with a sigsegv.